How can identify by powershell the user that has created an account.
regards
How can identify by powershell the user that has created an account.
regards
AFAIK AD does not track who created the user account. Therefore this information is not available. You can determine when an account was created but not by who. If you happen to see in the AD schema where this property is exposed then please provide the property name and we can demo how to get it in PS.
Hi,
You have to enable auditing on the domain and add a new entry with the permission "Create User objects". Then the activities will be recorded with the Event ID 4720 in the Security event log.

Best Regards,
Ian Xue
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Given that an AD is generally backed by multiple DC computers wouldn't the audit entry (assuming it doesn't roll over) be on the DC that generated the account? In that case to get the create user of an arbitrary AD user you'd have to comb through all the audit records on the DCs (assuming it still exists) before you could figure this out?
11 people are following this question.